250,000 WordPress sites vulnerable due to critical vulnerability in Facebook plugin


Some 250,000 WordPress sites are vulnerable to attack because of a critical vulnerability in the "Facebook for WordPress" plugin. Previously known as Official Facebook Pixel, the plugin installs the Facebook pixel on WordPress sites, which administrators can use to track the actions of visitors on their website.


Researchers from security company Wordfence discovered that an attacker can send a serialized PHP object to the plugin's pixel console, where it is deserialized, and use the resulting object to perform certain actions. One of these actions is writing arbitrary files to the server, which enables remote code execution.


To carry out the attack, an attacker must have access to the site's salts and keys. WordPress uses these secrets to sign the cookies with which it authenticates logged-in users. An attacker could obtain them through SQL injection, path traversal, or a publicly accessible backup of the wp-config.php file. The vulnerability has been given a severity score of 9.0 out of 10.
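The following is an added example, not code from the plugin or from Wordfence, illustrating the pattern described above: an endpoint that correctly checks a signature derived from a site secret but then passes the payload to unserialize(), so anyone who learns the secret can instantiate an arbitrary class and trigger a file write through its destructor. The class and function names, the constructed secret and the payload are assumptions for illustration; the hardened variant accepts only JSON and an allowlist of actions.

```php
<?php
// Added example (not the plugin's code). Names and the secret are assumptions.

// A "gadget": any class already loaded by the application whose magic method
// does something dangerous. Here __destruct writes a file; in a real attack the
// path would point into the web root and the content would be PHP code.
class LogWriter {
    public $path = null;
    public $content = '';
    public function __destruct() {
        if ($this->path !== null) {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Stand-in for the secrets in wp-config.php (constructed value).
const SITE_SECRET = 'example-secret-from-wp-config';

// Requests are signed with an HMAC over the payload. Without the secret an
// attacker cannot forge a signature, which is why the article says the attack
// requires the site's salts and keys.
function sign(string $payload): string {
    return hash_hmac('sha256', $payload, SITE_SECRET);
}

// VULNERABLE: the signature check is correct, but the verified payload is then
// deserialized, so it can contain any object the attacker chooses.
function run_action_vulnerable(array $request): bool {
    if (!hash_equals(sign($request['data']), $request['sig'] ?? '')) {
        return false;
    }
    $obj = unserialize($request['data']); // object injection
    return is_object($obj);               // $obj is destroyed here: __destruct fires
}

// HARDENED: the payload is JSON (cannot carry objects), the action must be on an
// allowlist, and unserialize() is never called on user input. If serialized
// input had to be accepted, pass ['allowed_classes' => false] to unserialize().
function run_action_hardened(array $request): string {
    if (!hash_equals(sign($request['data']), $request['sig'] ?? '')) {
        return 'bad signature';
    }
    $data = json_decode($request['data'], true, 4, JSON_THROW_ON_ERROR);
    $allowed = [
        'ping'         => fn() => 'pong',
        'get_pixel_id' => fn() => '123456',
    ];
    $action = $data['action'] ?? '';
    if (!isset($allowed[$action])) {
        return 'unknown action';
    }
    return $allowed[$action]();
}

// An attacker who has obtained SITE_SECRET builds a signed, serialized gadget.
$target = sys_get_temp_dir() . '/object_injection_demo.txt';
$gadget = new LogWriter();
$gadget->path = $target;
$gadget->content = "written by LogWriter::__destruct\n";
$payload = serialize($gadget);
$gadget->path = null; // keep the local copy from writing the file itself
$request = ['data' => $payload, 'sig' => sign($payload)];

run_action_vulnerable($request);
echo file_exists($target) ? "vulnerable: file written\n" : "no file\n";
@unlink($target);

// The same forged request is useless against the hardened handler, and a
// legitimate JSON request works.
try {
    echo run_action_hardened($request), "\n";
} catch (JsonException $e) {
    echo "hardened: rejected non-JSON payload\n";
}
$legit = ['data' => '{"action":"ping"}'];
$legit['sig'] = sign($legit['data']);
echo run_action_hardened($legit), "\n";
```

The point of the example is that authentication of the request does not make deserialization safe: once the secret leaks (through any of the routes the article names), the signature only tells the server the payload came from someone holding the secret, not that the payload is harmless.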


The developers of the plugin were notified of the vulnerability on December 22. The issue was fixed on January 6 with the release of plugin version 3.0.0. Facebook for WordPress is used by more than 500,000 websites; according to WordPress figures, nearly half of them are running a vulnerable version of the plugin. Administrators are therefore urged to install the latest version.


In addition, Wordfence discovered a second vulnerability, with a severity score of 8.8, that makes it possible to inject rogue JavaScript into the site if an attacker convinces an administrator to click on a malicious link. This vulnerability is present in plugin versions 3.0.0 through 3.0.3 and has been fixed in version 3.0.4. How many websites are exposed to it cannot be determined from the WordPress statistics.
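As an added example, not the plugin's code, the following shows the cross-site request forgery to stored cross-site scripting chain the article describes: a settings handler that updates a value for any request carrying the administrator's session, and a page that echoes the stored value unescaped, beside a hardened version that requires a nonce bound to the user and the action, validates the value, and escapes it on output. The nonce scheme stands in for what wp_create_nonce() and wp_verify_nonce() do in WordPress; the secret, the setting name and the attacker's value are constructed.

```php
<?php
// Added example (not the plugin's code). Names and values are assumptions.

const SITE_SECRET = 'example-secret-from-wp-config'; // constructed

// Nonce tied to the logged-in user and the specific action. An attacker who
// crafts a link for the admin to click cannot know it.
function make_nonce(int $user_id, string $action): string {
    return substr(hash_hmac('sha256', "$user_id|$action", SITE_SECRET), 0, 16);
}
function verify_nonce(?string $nonce, int $user_id, string $action): bool {
    return $nonce !== null && hash_equals(make_nonce($user_id, $action), $nonce);
}

// VULNERABLE: no CSRF check, so a link like
//   /wp-admin/admin.php?page=pixel&pixel_id="><script>...</script>
// opened by a logged-in admin stores the attacker's value, and the settings page
// renders it without escaping. The script then runs for every admin who views it.
function save_vulnerable(array &$settings, array $request): void {
    $settings['pixel_id'] = $request['pixel_id'];
}
function render_vulnerable(array $settings): string {
    return '<input name="pixel_id" value="' . $settings['pixel_id'] . '">';
}

// HARDENED: the request must carry a valid nonce, the value must match the
// shape a pixel ID can have, and output is HTML-escaped.
function save_hardened(array &$settings, array $request, int $user_id): bool {
    if (!verify_nonce($request['_wpnonce'] ?? null, $user_id, 'save_pixel')) {
        return false; // forged or missing nonce
    }
    if (!preg_match('/^[0-9]{1,20}$/', $request['pixel_id'] ?? '')) {
        return false; // not a numeric pixel ID
    }
    $settings['pixel_id'] = $request['pixel_id'];
    return true;
}
function render_hardened(array $settings): string {
    $value = htmlspecialchars($settings['pixel_id'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input name="pixel_id" value="' . $value . '">';
}

// Constructed attacker request: what the admin's browser sends after clicking
// the malicious link, with the admin's session cookie attached automatically.
$csrf = ['pixel_id' => '"><script>alert(document.cookie)</script>'];
$admin_id = 1;

$settings = [];
save_vulnerable($settings, $csrf);
echo "vulnerable: ", render_vulnerable($settings), "\n";

$settings = [];
echo "hardened, forged request accepted: ",
     var_export(save_hardened($settings, $csrf, $admin_id), true), "\n";

// A legitimate submission from the settings form carries the nonce.
$legit = ['pixel_id' => '123456', '_wpnonce' => make_nonce($admin_id, 'save_pixel')];
echo "hardened, legitimate request accepted: ",
     var_export(save_hardened($settings, $legit, $admin_id), true), "\n";
echo "hardened: ", render_hardened($settings), "\n";
```

Both halves of the fix matter: the nonce stops the attacker from writing the value, and the output escaping makes sure that even a value stored by some other route cannot execute as script.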
